Give to Samba, the ability to join an IPv4-Only DC, into a Dual-Stacked Domain Controller.

Martinx - ジェームズ thiagocmartinsc at gmail.com
Sat Aug 9 21:26:08 MDT 2014


Hello,

 To make the adoption of IPv6 in IPv4 networks that have a `Samba4 AD DC`
smoother / more robust, I think that it is vital to give Samba4 the ability
to join an "IPv4-Only Secondary DC" into a Dual-Stacked Primary DC. This
doesn't work today (BUG: https://bugzilla.samba.org/show_bug.cgi?id=10729).

 Otherwise, these days, to enable IPv6 within a "Samba4 AD DC Network", it
is a requirement to enable it, *simultaneously*, on each and every network
controlled by Samba4 AD DC + Bind9!! Am I right?!

 But, I truly believe that the migration to IPv6 needs to be done in small
steps, one network at a time. And/or, go IPv6-Only if you can (I already
have lots of IPv6-Only subnets, it works great, no NAT to deal with)...

 Pragmatically speaking, `samba-tool` must be able to join an "IPv4-Only
Secondary DC" into a Dual-Stacked "Samba4 AD DC" and, of course, Samba4
daemons must handle this too (i.e. the IPv4-Only daemons should not try to
connect to other DCs via IPv6, like they try today, just because those DCs
have an `AAAA DNS Record`).


Exemplifying:

 * Env: Ubuntu 14.04 + Samba 4.1.6 from its packages

 I have two `Samba4 AD DC` Master / Replica, both located in my office,
dual-stacked (IPv4 + IPv6), working like a charm.

 Now, I need to deploy a third DC, located within Amazon EC2, which does
NOT have IPv6. But `samba-tool` fails to join it.

---
1- ubuntu-ad-1 - Master - ok - office LAN1 - IPv4 / IPv6 (Dual-Stacked)
2- ubuntu-ad-2 - Slave1 - ok - office LAN2 - IPv4 / IPv6 (Dual-Stacked)

3- ubuntu-ad-3 - Slave2 - can't join - AWS EC2 VPC - IPv4-Only
---

 At "ubuntu-ad-3", its DNS (resolv.conf) points to "IPv4 of ubuntu-ad-1 and
2", Kerberos works:

---
root@ubuntu-ad-3:~# kinit administrator
Password for administrator@CENTRAL.DOMAIN.COM.BR:
Warning: Your password will expire in 40 days on Thu 28 Aug 2014 05:56:10 PM UTC
---

 When samba-tool sees the AAAA record, it tries to use it, even if its host
doesn't have IPv6 connectivity. I understand that IPv6 should be preferred,
but only when the machine has it...

---
root@ubuntu-ad-3:~# strace -f -e trace=network samba-tool domain join CENTRAL.DOMAIN.COM.BR DC -Uadministrator --realm=CENTRAL.DOMAIN.COM.BR --dns-backend=BIND9_DLZ
.....
[pid  1533] +++ killed by SIGKILL +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1533, si_status=SIGKILL, si_utime=0, si_stime=0} ---
socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
setsockopt(5, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
connect(5, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "2008:29Y:XXX:85Xa::66XX", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'CENTRAL.DOMAIN.COM.BR'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1150, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 76, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 262, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
+++ exited with 255 +++
---

 Then, I tried to remove the AAAA records from `ubuntu-ad-1 & 2`, just to
check if `ubuntu-ad-3` was able to join, and it joined, but it triggered a
lot of errors on all DCs... forcing me to re-provision the domain from
scratch (now IPv4-Only at the office too, bad). (I'm too lame to fix Samba4
internal dbs, so I always restart it from the beginning (domain provision)
if something bad happens.)

 Now, I disabled IPv6 (very sad) at my Office's DCs (ubuntu-ad-1 and
ubuntu-ad-2), just to be able to deploy a secondary DC within Amazon EC2
(IPv4-Only networks)... I don't think I can re-enable IPv6 at my Office's
`Samba4 AD DC`, just because one of my remote legacy (AWS EC2) networks,
still doesn't have IPv6...     :'(

 I think that it will be awesome to be able to mix "IPv6-Only +
Dual-Stacked + IPv4-Only" Networks in Samba! Don't you guys think?! This
way, it will be much easier to start deploying IPv6 here and there, without
enabling it everywhere at once, to not mess with your AD.

 BTW, I posted this message on Samba Users mail list but, I think that here
is a better place to talk about this subject...

Cheers!
Thiago
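An added illustration of the behaviour the post asks for (my own example, not samba-tool's code or anything from the Samba project): resolve every AAAA and A record for a DC, keep IPv6 first, but treat ENETUNREACH on one address as "skip this candidate", not "abort the join". The hostname, the fake resolver and the fake probe are constructed to model the ubuntu-ad-3 scenario; the addresses are documentation ranges.

```python
import errno
import socket

# errnos meaning "this host has no route to that address family", which is
# the strace situation in the post (ENETUNREACH on the AAAA address).
UNROUTABLE = {errno.ENETUNREACH, errno.EHOSTUNREACH,
              errno.EAFNOSUPPORT, errno.EADDRNOTAVAIL}

def candidate_addresses(host, port, resolver=socket.getaddrinfo):
    """All AAAA and A results for host: IPv6 first, but IPv4 never dropped."""
    infos = resolver(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    infos = sorted(infos, key=lambda ai: 0 if ai[0] == socket.AF_INET6 else 1)
    return [(ai[0], ai[4]) for ai in infos]

def tcp_probe(family, sockaddr, timeout):
    """Open and close one TCP connection; raises OSError on failure."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sockaddr)

def find_reachable_dc(host, port=389, resolver=socket.getaddrinfo,
                      probe=tcp_probe, timeout=3.0):
    """Return (sockaddr, skipped): the first candidate that accepts a TCP
    connection, plus (address, reason, errno name) for each one skipped
    before it. Returns (None, skipped) when nothing is reachable."""
    skipped = []
    for family, sockaddr in candidate_addresses(host, port, resolver):
        try:
            probe(family, sockaddr, timeout)
            return sockaddr, skipped
        except OSError as e:
            # Any failure moves on to the next address; the reason is kept
            # so the caller can log why IPv6 was not used.
            reason = "no-route" if e.errno in UNROUTABLE else "dc-error"
            skipped.append((sockaddr[0], reason,
                            errno.errorcode.get(e.errno, type(e).__name__)))
    return None, skipped

# Constructed scenario: the DC has AAAA and A records, but this host (like
# ubuntu-ad-3 in EC2) has no IPv6 route. Addresses are RFC 3849 / RFC 5737
# documentation ranges, not real DCs.
FAKE_RECORDS = {"ubuntu-ad-1.central.domain.com.br": [
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::66", 389, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 389))]}

def fake_resolver(host, port, family, socktype):
    return FAKE_RECORDS[host]

def fake_probe_ipv4_only(family, sockaddr, timeout):
    if family == socket.AF_INET6:
        raise OSError(errno.ENETUNREACH, "Network is unreachable")
```

With the fake resolver and probe, find_reachable_dc() returns the IPv4 address and records the IPv6 candidate as skipped with "no-route"/ENETUNREACH; with the defaults it does real getaddrinfo and TCP probes.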

